|
|
[Home]
[Databases]
[WorldLII]
[Search]
[Feedback]
South African Law Commission |
[Database Search] [Name Search] [Previous] [Next] [Download] [Help]
4.1 As indicated in the previous chapter, there are many international examples where unacceptable activities relating to computers are made subject to criminal sanction. It is proposed that the same should apply in South Africa. To achieve this the relevant offences should be established by statute. It is therefore proposed that a “Computer Misuse Act” be developed for this purpose.
4.2.1 One of the most widely criminalised activities concerning unauthorised use of computers is unauthorised access to computers. It is proposed that a similar offence be established in South Africa. Careful consideration should, however, be given to the manner in which the elements of such an offence are described.
4.2.2 The methods used to define this criminal activity differ widely from one country to the next. The international examples referred to in the previous chapter reflect a few approaches to the description of the criminal action, each focussing on a different level of access which is prohibited.
4.2.3 One approach is to protect the information on a computer by targeting the functions performed by a computer. In these cases the criminal action entails causing the computer to perform a certain function. This must be coupled with a specific intent to secure access to information stored on a computer.[116]
4.2.4 A more direct approach is to protect the information on the computer itself against unlawful access or procurement. In these cases the criminal action is described with reference to the information stored on the computer and does not include any reference to the method by means of which access is obtained.[117]
4.2.5 A third approach is to focus on the computer itself. In these cases the criminal action is described as a two-phased action where the first phase is gaining access to a computer. This may be coupled with the commission of other subsequent acts which will be the second phase.[118]
4.2.6 Yet another approach is to define the criminal action with reference to the obtaining of a computer service. The service can include the data processing functions of a computer, in other words the mere use of a computer, as well as data retrieval from a computer.[119]
4.2.7 It is proposed that a wide description of the criminal action be adopted. This description should be aimed at protecting the computer data or software applications stored on a computer system without being limited by references to specific methods by means of which the access is to be obtained. The criminal action of this offence should therefore be described as the obtaining of access to any data and software applications stored on a computer system. In this regard the offence of unlawful access should be comparable to the offence of trespass in terms of physical premises.
4.2.8 The access component of the criminal action should include any manner by means of which a person is enabled to take account of the computer data or use the software applications. Access should therefore be a wide concept and should include all means of taking account of computer data or software applications or of having it output from the computer in which it is held, including on a monitor, printer or storage medium. It should be irrelevant to the description of the criminal action whether the monitor, printer, storage medium or other output device is attached to the computer in which the data or software applications are held or not. In other words it should not only include all instances of copying, moving, or using computer data or software applications but also the mere becoming aware thereof.
4.2.9 The element of unlawfulness will be what distinguishes the lawful use of a computer from usage which should be subjected to criminal sanction. This element should be expressed by means of a reference to an absence of authority to obtain the access in question.
4.2.10 The absence of authority is an objectively determinable element. It will be determined with reference to the circumstances of each case. An absence of authority should, in the first instance, entail absence of the permission of the owner or the person lawfully in charge of the computer data or software applications in question. In this regard it must be noted that it is not the absence of permission by the person in charge of the computer by means of which the access is obtained that determines the unlawfulness of that access, but rather the absence of permission by person in charge of the affected computer data or software applications.
4.2.11 The concept of authority entails more than just the permission of the owner or the person lawfully in charge. There are other examples of cases where a person will have authority to access computer data or software applications, such as where the access is authorised in terms of a search warrant.
4.2.12 The form of culpability of the unlawful access offence should be intent. The intent should be directed at all the elements of the offence. This implies that the accused must have had the intent to obtain access to the computer data or software applications in question, as well as that he or she must have had knowledge of the unlawfulness thereof.
4.2.13 Knowledge of unlawfulness in these circumstances means that the accused knew that he or she had no authority to access the computer data or software applications in question. The knowledge component of the intent should be interpreted sufficiently widely to include cases of willful blindness. The knowledge component should therefore be interpreted to include circumstances where the accused suspected that he or she might not have authority to access the computer data or software applications in question but nevertheless proceeded to gain access thereto without confirming the presence or absence of the requisite authority. This aspect is, however, not expressly addressed in the proposed Bill as it already forms part of the element of culpability of the proposed offence.
4.2.14 In some of the foreign examples of an unauthorised access offence the element of intent is qualified by a reference to specific motives for the access. These include to cause damage or to make unauthorised modifications to the contents of a computer. In our view this approach is too restrictive. The element of intent should not be linked to a specific purpose or motive for which the unauthorised access is obtained. Again the analogy should be with the offence of trespass in terms of physical premisses.
4.2.15 Based on these remarks it is proposed that the following statutory description be used for the unlawful access offence:
|
Unauthorised access to or obtaining of applications or data in computer
system
... Any person who intentionally and without authority to do so,
accesses or obtains any application or data held in a computer system, is guilty
of an offence.
|
4.2.16 It is further proposed that certain concepts be defined in an interpretation clause to assist in the interpretation and application of this offence:
|
Definitions and interpretation
... (1) In this Act, unless the context indicates
otherwise—
“access” in relation to an application or data means
rendering that application or data, by whatever means, in a form that would
enable a person, at the time when it is so rendered or subsequently, to take
account of that application or data and includes using the application or data
or having it output from the computer system in which it is held in a displayed
or printed form, or to a storage medium or by means of any other output device,
whether attached to the computer system in which the application or data are
held or not;
“application” means a set of instructions that, when executed
in a computer system, causes a computer system to perform a function, and
includes such a set of instructions held in any removable storage medium which
is for the time being in a computer system; and
“computer system” means an electronic, magnetic, optical,
electrochemical, or other data processing device, or a group of such
interconnected or related devices, one or more of which is capable
of—
(a) containing data; or
(b) performing a logical, arithmetic, or any other function in
relation to data;
“data” means any representation of information, knowledge,
facts or concepts, capable of being processed in a computer system, and includes
such a representation held in any removable storage medium which is for the time
being in a computer system.
|
4.3.1 The modification of computer data and software applications is also a common form of computer misuse. It is therefore proposed that a similar offence be established in South Africa.
4.3.2 Similar to the unauthorised access offence it is proposed that the criminal action be widely defined. It should not be limited by any reference to specific methods by means of which the modification is made. The criminal action should therefore include any action which results in a modification of the computer data or software applications concerned.
4.3.3 The criminal action should not contain actual damage resulting from the modification as one of its components. The fact that a modification of computer data or software applications caused damage in any given case should be a factor to take into account upon sentencing.
4.3.4 This element should be expressed by means of a reference to an absence of authority to make the modification in question.
4.3.5 The absence of authority should entail absence of permission by the owner or the person lawfully in charge of the computer data or software applications in question. Similar to the unauthorised access offence, it must be noted that it is the absence of permission by the owner or the person lawfully in charge of the affected computer data or software applications that determines the unlawfulness of the modification.
4.3.6 It is recommended that intent should be the required form of culpability for the unlawful modification offence.
4.3.7 The element of intent would naturally include knowledge of the unlawfulness of the modification. In other words the accused must have known that he or she had no authority to cause the modification of the computer data or software applications in question. The knowledge component of the intent for this offence should be interpreted sufficiently widely to make it clear that it includes cases of willful blindness. Consequently the knowledge component should be interpreted to include circumstances where the accused suspected that he or she may not have had authority to cause the modification to the computer data or software applications in question, but nevertheless proceeded with his or her actions, without confirming the presence or absence of the requisite authority. This aspect is, however, not expressly addressed in the proposed Bill as it already forms part of the element of culpability of the proposed offence.
4.3.8 In some foreign examples of an unauthorised modification offence the element of intent is qualified by a reference to specific motives for the modification. These include to impair the operation of a computer or to hinder access to information stored on a computer. In our view this approach is too restrictive. The element of intent should therefore not be linked with a specific purpose or motive for which the unauthorised modification is effected. Instead these motives may form the subjects of separate offences which are not necessarily connected to the unauthorised modification of computer data or software applications.
4.3.9 Based on these remarks it is proposed that the following statutory description be used for the unlawful modification offence:
|
Unauthorised modification of applications or data in computer
system
... (1) Any person who intentionally and without authority to do so,
performs an act causing any application or data held in a computer system to be
modified, destroyed or erased or otherwise rendered ineffective is guilty of an
offence.
|
4.3.10 It is also proposed that the insertion of computer data or software applications be criminalised on the same basis as the modification of existing computer data or software applications:
|
(2) Any person who intentionally and without authority to do so inserts
any application or data in a computer system is guilty of an offence.
|
4.4.1 Apart from the actual unauthorised access and modification offences, there are a few related activities which should also be criminalised. These are the development and trafficking in devices or applications which are primarily used to obtain unauthorised access and the trafficking in passwords. It is also proposed that other activities relating to interfering with the lawful use of a computer be criminalised.
|
Development and trafficking in devices or applications which are
primarily used to obtain unauthorised access
... Any person who, without lawful justification, develops,
manufactures, produces, imports, exports, procures for use, or makes available,
a device or application designed or adapted to make it primarily useful for
accessing or for modifying, destroying or erasing or otherwise rendering
ineffective an application or data held in a computer system without authority
to access, modify, destroy or erase or otherwise render ineffective that
application or data, is guilty of an offence.
Trafficking in computer passwords
... Any person who makes available any password or similar
information by means of which an application or data held in a computer system
can be accessed without authority to access that application or data, is guilty
of an offence.
Interference with use of computer system
... Any person who—
(a) prevents or hinders access to any application or data in a
computer system;
(b) impairs the effectiveness or reliability of any application or
data in a computer system, or
(c) impairs the operation of a computer system,
is guilty of an offence.
|
4.5.1 It is suggested that certain procedural matters also be addressed in relation to the misuse of computers. These should at least address the issues of search and seizure, admissibility of evidence and jurisdiction.
4.5.2 In this paper the proposed procedural provisions are included in the proposed Computer Misuse Bill. An alternative option is to insert provisions dealing with procedural aspects in relation to the misuse of computers into the Criminal Procedure Act, 1977, where it will fit in with the general provisions on seach and seizure, for instance.
|
Specific comment on the correct placement of the procedural provisions are
invited.
|
4.5.3 The first of the procedural issues to be addressed is that of search and seizure. It was pointed out above that computers are increasingly linked with other computers to form networks. A computer network can span a building, a province, a country and even the globe. The interconnectivity of computers makes it possible to store information on a computer situated in a remote location which need not even be in the same country as the computer used to store the information.
4.5.3.1 The possibilities for the storing of information via networks demand a different approach toward the search and seizure of such information. For this reason the following provision is proposed:
|
Search and Seizure
... (1) The State may seize any computer system or take any samples
or copies of applications or data–
(a) that is concerned in or is on reasonable grounds believed to be
concerned in the commission or suspected commission of an offence, whether
within the Republic or elsewhere;
(b) that may afford evidence of the commission or suspected
commission of an offence, whether within the Republic or elsewhere; or
(c) that is intended to be used or is on reasonable grounds believed
to be intended to be used in the commission of an offence.
(2) Subject to subsection (5), a computer system referred to in subsection
(1) may be seized, or samples or copies of applications or data referred to in
that subsection may be taken, only by virtue of a search warrant.
(3) The provisions of section 21 of the Criminal Procedure Act, 1977 (Act
No. 51 of 1977) shall apply with the necessary changes to the issue and
execution of a search warrant referred to in subsection (2).
(4) An investigating official executing a search warrant referred to in
subsection (2), may-
(a) at any time search for, have access to, and inspect and check
the operation of any computer system, application or data if that official on
reasonable grounds believes it to be necessary to facilitate the execution of
that search warrant; and
(b) require any person having charge of, or being otherwise
concerned with the operation, custody or care of a computer system, application
or data to provide him or her with the reasonable assistance that may be
required to facilitate the execution of that search warrant.
(5) An investigating official may without a search warrant referred to in
subsection (2) seize any computer system or take any samples or copies of
applications or data or perform any of the actions referred to in subsection
(4)–
(a) if the person having charge of, or being otherwise concerned
with the operation, custody or care of a computer system, application or data
consents thereto; or
(b) if that official on reasonable grounds believes–
(i) that a search warrant will be issued under subsection (2) if he or she
applies for such a warrant; and
(ii) that the delay in obtaining such a warrant would defeat the object of
the search.
(6) In seizing any computer system or taking any samples or copies of
applications or data or performing any of the actions referred to in subsection
(4), whether by virtue of a search warrant or in terms of subsection (5) an
investigating official shall have due regard for the rights and interests of any
person affected thereby to carry on his or her normal activities.
(7) Any person who obstructs, hinders or threatens an investigating
official in the performance of his or her duties or the exercise of his or her
powers in terms of this section, is guilty of an offence
|
4.5.4 The next procedural issue to be considered is that of admissibility of evidence. The offences proposed in this chapter will by nature involve a computer in their commission. It is therefore extremely likely that either the computer itself or a print-out of the information stored on the computer will have to be produced in court in order to prove the relevant offence.
4.5.5 As was indicated above, there is some uncertainty as to the nature of computer-generated evidence. This raises a number of issues as to how the admissibility of such evidence should be determined. In order to facilitate the prosecution of the relevant offences the following provision is proposed:
|
Evidence
... (1) Notwithstanding the provisions of any law, information in
any medium, including but not confined to data or computer output, shall be
admissible as evidence of any fact stated therein in any criminal proceedings in
terms of this Act, if it is shown–
(a) that a standard or best procedure, acceptable to the court, has
been followed in obtaining the information concerned;
(b) in the event of any departure from such procedure which, in the
opinion of the court, is not gravely prejudicial to the accused, such
information shall still be admissible as evidence, but the court may then attach
correspondingly less weight to such evidence.
(2) For the purposes of deciding on the admissibility and weight of the
evidence referred to in subsection (1), the court may draw any reasonable
inferences from the circumstances in which the application or data was found, or
was originally made or came into being.
|
4.5.6 The last of the procedural issues to be addressed is jurisdiction. It is very easy to distribute information over a network in such a way that parts of the relevant in formation are located in one jurisdiction and other parts of it are located in another. The fact that computers can be inter-connected even across national borders makes the extension of the courts’ ability to apply the offences proposed above a necessity.
4.5.7 This means that a wider concept of the courts’ territorial jurisdiction must be applied when approaching the offences to be established in relation to the unauthorised access and modification of computer data or software applications.
4.5.8 It is certainly no understatement to say that the advent of the Internet and e-mail facilities has created a borderless world as far as computer networks are concerned. One has only to recall the effects of recent virus attacks such as those of the “Melissa” and “I love you” viruses to illustrate this point. Both these viruses spread across the globe in a matter of hours.
4.5.9 To make it clear what our courts’ jurisdiction would be in relation to the offences to be created in the proposed Computer Misuse Act, the following provision is proposed:
|
Territorial jurisdiction
... (1) The provisions of this Act shall apply in relation to any
person, whatever his or her nationality or citizenship, outside or within the
Republic if—
(a) that person was within the Republic at the time the offence was
committed; or
(b) the relevant computer system, application or data was within the
Republic at that time.
(2) If an offence under this Act was committed by any person outside the
Republic, that person may be dealt with as if the offence was committed within
the Republic.
|
[116] The UK Computer Misuse Act 1990 and the Singapore Act.
[117] The German Criminal Code and the Crimes Act 1914 of Australia.
[118] The US Computer Fraud and Abuse Act 1986 and the draft Convention of the Council of Europe.
[119] The Canadian Criminal Code.
SAFLII:
|
|
Terms of Use
|
Feedback
URL: http://www.saflii.org/za/other/zalc/dp/99/99-CHAPTER-4.html